Patentable/Patents/US-8103883
US-8103883

Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption

Published: January 24, 2012
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method, system, and computer-readable storage medium containing instructions for controlling access to data stored on a plurality of storage devices associated with a first platform. The method includes authenticating a user to access the first platform, wherein the first platform includes first and second storage devices, chipset encryption hardware, and a memory. Data stored on the storage devices are encrypted, with first data on the first storage device being encrypted by the chipset encryption hardware and second data stored on the second storage device being encrypted by another encryption mechanism. The data are decrypted and the user is allowed to access the first data and the second data.

Patent Claims
27 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: controlling access to data stored on a plurality of storage devices associated with a first platform by: authenticating a user to access the first platform, wherein the first platform comprises a first storage device of the plurality of storage devices, a second storage device of the plurality of storage devices, chipset encryption hardware, and a memory, first data stored on the first storage device are encrypted by the chipset encryption hardware using a first encryption key, second data stored on the second storage device are encrypted by another encryption mechanism and not by the chipset encryption hardware, and the second data are encrypted using a second encryption key; decrypting the first data stored on the first storage device; obtaining a container encryption key for a container stored in the memory; decrypting the container stored in the memory using the container encryption key, wherein the container comprises the second encryption key; using the second encryption key to decrypt the second data stored on the second storage device; allowing the user to access the first data and the second data; wrapping the first encryption key with a platform-independent token to produce a migration key; storing the migration key on the first platform; storing the platform-independent token in a secure location that is not on the first platform; migrating the first storage device to a second platform; and decrypting the first data on the second platform using the platform-independent token and the migration key.

2. The method of claim 1 further comprising: wrapping the second encryption key with a platform-independent token to produce a migration key; storing the migration key on the first platform; storing the platform-independent token in a secure location that is not on the first platform; migrating the second storage device to a second platform; and decrypting the second data on the second platform using the platform-independent token and the migration key.

3. The method of claim 1 further comprising: denying access to the first platform in response to a theft notification event.

4. The method of claim 3 wherein denying the access to the first platform comprises deleting the first encryption key and the second encryption key from the first platform.

5. The method of claim 3 wherein denying the access to the first platform comprises denying access to a migration package for the platform, wherein the migration package comprises the first encryption key and the second encryption key.

6. The method of claim 3 wherein denying the access to the first platform comprises denying access to a migration package for the platform, wherein the migration package comprises a first migration key for the first storage device and a second migration key for the second storage device.

7. The method of claim 3 wherein denying the access to the first platform comprises deleting at least one of the first encryption key and the second encryption key from a migration package for the platform.

8. The method of claim 3 wherein denying the access to the first platform comprises disabling hardware of the first platform.

9. The method of claim 3 wherein denying the access to the first platform comprises denying access to the container.

10. A non-transitory computer-readable storage medium comprising: controlling instructions to control access to data stored on a plurality of storage devices associated with a first platform; authenticating instructions to authenticate a user to access the first platform, wherein the first platform comprises a first storage device of the plurality of storage devices, a second storage device of the plurality of storage devices, chipset encryption hardware, and a memory, first data stored on the first storage device are encrypted by the chipset encryption hardware using a first encryption key, second data stored on the second storage device are encrypted by another encryption mechanism and not by the chipset encryption hardware, and the second data are encrypted using a second encryption key; decrypting instructions to decrypt the first data stored on the first storage device; obtaining instructions to obtain a container encryption key for a container stored in the memory; second decrypting instructions to decrypt the container stored in the memory using the container encryption key, wherein the container comprises the second encryption key; using instructions to use the second encryption key to decrypt the second data stored on the second storage device; allowing instructions to allow the user to access the first data and the second data; wrapping instructions to wrap the first encryption key with a platform-independent token to produce a migration key; storing instructions to store the migration key on the first platform; second storing instructions to store the platform-independent token in a secure location that is not on the first platform; migrating instructions to migrate the first storage device to a second platform; and third decrypting instructions to decrypt the first data on the second platform using the platform-independent token and the migration key.

11. The non-transitory computer-readable storage medium of claim 10 further comprising: wrapping instructions to wrap the second encryption key with a platform-independent token to produce a migration key; storing instructions to store the migration key on the first platform; second storing instructions to store the platform-independent token in a secure location that is not on the first platform; migrating instructions to migrate the second storage device to a second platform; and third decrypting instructions to decrypt the second data on the second platform using the platform-independent token and the migration key.

12. The non-transitory computer-readable storage medium of claim 10 further comprising: denying instructions to deny access to the first platform in response to a theft notification event.

13. The non-transitory computer-readable storage medium of claim 12 further comprising: deleting instructions to delete the first encryption key and the second encryption key from the first platform.

14. The non-transitory computer-readable storage medium of claim 13 further comprising: second denying instructions to deny access to a migration package for the platform, wherein the migration package comprises the first encryption key and the second encryption key.

15. The non-transitory computer-readable storage medium of claim 13 further comprising: second denying instructions to deny access to a migration package for the platform, wherein the migration package comprises a first migration key for the first storage device and a second migration key for the second storage device.

16. The non-transitory computer-readable storage medium of claim 13 further comprising: deleting instructions to delete at least one of the first encryption key and the second encryption key from a migration package for the platform.

17. The non-transitory computer-readable storage medium of claim 13 further comprising: disabling instructions to disable hardware of the first platform.

18. The non-transitory computer-readable storage medium of claim 13 further comprising: second denying instructions to deny access to the container.

19. A system comprising: a controlling module to control access to data stored on a plurality of storage devices associated with a first platform; an authenticating module to authenticate a user to access the first platform, wherein the first platform comprises a first storage device of the plurality of storage devices, a second storage device of the plurality of storage devices, chipset encryption hardware, and a memory, first data stored on the first storage device are encrypted by the chipset encryption hardware using a first encryption key, second data stored on the second storage device are encrypted by another encryption mechanism and not by the chipset encryption hardware, and the second data are encrypted using a second encryption key; a decrypting module to decrypt the first data stored on the first storage device; an obtaining module to obtain a container encryption key for a container stored in the memory; a second decrypting module to decrypt the container stored in the memory using the container encryption key, wherein the container comprises the second encryption key; a using module to use the second encryption key to decrypt the second data stored on the second storage device; an allowing module to allow the user to access the first data and the second data; a wrapping module to wrap the first encryption key with a platform-independent token to produce a migration key; a storing module to store the migration key on the first platform; a second storing module to store the platform-independent token in a secure location that is not on the first platform; a migrating module to migrate the first storage device to a second platform; and a third decrypting module to decrypt the first data on the second platform using the platform-independent token and the migration key.

20. The system of claim 19 further comprising: a wrapping module to wrap the second encryption key with a platform-independent token to produce a migration key; a storing module to store the migration key on the first platform; a second storing module to store the platform-independent token in a secure location that is not on the first platform; a migrating module to migrate the second storage device to a second platform; and a third decrypting module to decrypt the second data on the second platform using the platform-independent token and the migration key.

21. The system of claim 19 further comprising: a denying module to deny access to the first platform in response to a theft notification event.

22. The system of claim 21 further comprising: a deleting module to delete the first encryption key and the second encryption key from the first platform.

23. The system of claim 21 further comprising: a second denying module to deny access to a migration package for the platform, wherein the migration package comprises the first encryption key and the second encryption key.

24. The system of claim 21 further comprising: a second denying module to deny access to a migration package for the platform, wherein the migration package comprises a first migration key for the first storage device and a second migration key for the second storage device.

25. The system of claim 21 further comprising: a deleting module to delete at least one of the first encryption key and the second encryption key from a migration package for the platform.

26. The system of claim 21 further comprising: a disabling module to disable hardware of the first platform.

27. The system of claim 21 further comprising: a second denying module to deny access to the container.
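The claims above fix a key hierarchy (a chipset-held key for the first drive, a software key for the second drive that exists only inside an encrypted in-memory container, a migration key made by wrapping a drive key with a platform-independent token that is kept off the platform) and a theft response (delete the keys, the container and the migration package), but they name no concrete mechanism. The Python below is an added illustration of claims 1-9, not code from the patent or from any Intel product. Everything specific in it is an assumption: the password check standing in for user authentication, the HMAC-SHA256 toy cipher standing in for a real AEAD or key-wrap such as AES-GCM or RFC 3394, the sample drive contents, and the names Platform, seal, unseal, migrate and denied.

```python
"""Added example, not code from the patent or any product: a toy model of the
key hierarchy in claims 1-9 of US-8103883. Assumptions the patent does not
specify: the chipset encryption hardware is modelled as a key the platform
holds, the container key is released only after a password check, and the
HMAC-SHA256 cipher below stands in for a real AEAD or key-wrap."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _xor_stream(enc_key, nonce, data):
    """HMAC-SHA256 in counter mode as a toy keystream (stand-in for AES-CTR)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError for a wrong key or a tampered blob."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)


class Platform:
    """One machine: hardware-encrypted first drive, software-encrypted second drive."""

    def __init__(self, name, password):
        self.name = name
        self.pw_hash = hashlib.sha256(password.encode()).digest()   # toy user authentication (assumption)
        self.chipset_key = secrets.token_bytes(32)    # first encryption key, held by chipset hardware
        self.container_key = secrets.token_bytes(32)  # container encryption key, released after auth (assumption)
        self.container = None      # encrypted container in memory holding the second encryption key
        self.disks = {}            # "first"/"second" -> drive ciphertext
        self.migration_keys = {}   # "first"/"second" -> drive key wrapped with a token (migration package)

    def provision(self, first_data, second_data):
        second_key = secrets.token_bytes(32)                      # second encryption key, software FVE
        self.disks["first"] = seal(self.chipset_key, first_data)
        self.disks["second"] = seal(second_key, second_data)
        self.container = seal(self.container_key, second_key)     # the key exists only inside the container

    def _drive_key(self, disk):
        if self.chipset_key is None or self.container is None:
            raise PermissionError("keys revoked")
        return self.chipset_key if disk == "first" else unseal(self.container_key, self.container)

    def unlock(self, password):
        """Claim 1: authenticate, open the container, decrypt both drives."""
        if not hmac.compare_digest(self.pw_hash, hashlib.sha256(password.encode()).digest()):
            raise PermissionError("authentication failed")
        return tuple(unseal(self._drive_key(d), self.disks[d]) for d in ("first", "second"))

    def prepare_migration(self, disk):
        """Wrap a drive key with a fresh platform-independent token (claims 1-2). The
        migration key stays on this platform; the token is returned for off-platform escrow."""
        token = secrets.token_bytes(32)
        self.migration_keys[disk] = seal(token, self._drive_key(disk))
        return token

    def theft_notification(self):
        """Claims 4-7 and 9: delete the drive keys, the container and the migration package."""
        self.chipset_key = self.container = None
        self.migration_keys.clear()


def migrate(src, disk, token):
    """Claim 1, last steps: ciphertext and migration key travel to a second platform,
    which recovers the drive key from the escrowed token; src's chipset key is never needed."""
    if disk not in src.migration_keys:
        raise PermissionError("migration package not available")   # claims 5-7 after a theft event
    return unseal(unseal(token, src.migration_keys[disk]), src.disks[disk])


def denied(fn, *args):
    """True when the operation is refused (wrong password, revoked keys, wrong token)."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    laptop = Platform("laptop", "correct horse")
    laptop.provision(b"hardware-encrypted volume", b"software-encrypted volume")  # constructed sample data
    print(laptop.unlock("correct horse"))
    token = laptop.prepare_migration("second")   # token is escrowed with the key management service, not kept here
    print(migrate(laptop, "second", token))
    laptop.theft_notification()
    print("locked out after theft notification:", denied(laptop.unlock, "correct horse"))
```

The point the model makes visible is the split of the migration secret: the platform holds only the wrapped key, the escrow holds only the token, and either half alone is useless. After the theft path deletes the chipset key, the container and the migration package, neither the correct password nor the escrowed token recovers anything from that platform, while a drive migrated beforehand stays readable elsewhere.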

Patent Metadata

Filing Date

December 31, 2008

Publication Date

January 24, 2012

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption” (US-8103883). https://patentable.app/patents/US-8103883